US10554643B2 - Method and system to provide additional security mechanism for packaged web applications - Google Patents

Method and system to provide additional security mechanism for packaged web applications Download PDF

Info

Publication number
US10554643B2
US10554643B2 US14/578,090 US201414578090A US10554643B2 US 10554643 B2 US10554643 B2 US 10554643B2 US 201414578090 A US201414578090 A US 201414578090A US 10554643 B2 US10554643 B2 US 10554643B2
Authority
US
United States
Prior art keywords
application
parameter
redirect
value pair
runtime engine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US14/578,090
Other languages
English (en)
Other versions
US20150180850A1 (en
Inventor
Balaji Nerella Venkataramana
Kaushik Das
Satish Nanjunda Swamy JAMADAGNI
Prabhavathi Perumal
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Assigned to SAMSUNG ELECTRONICS CO., LTD reassignment SAMSUNG ELECTRONICS CO., LTD ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: DAS, KAUSHIK, JAMADAGNI, SATISH NANJUNDA SWAMY, PERUMAL, PRABHAVATHI, VENKATARAMANA, BALAJ I NEREILA
Publication of US20150180850A1 publication Critical patent/US20150180850A1/en
Application granted granted Critical
Publication of US10554643B2 publication Critical patent/US10554643B2/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present disclosure generally relates to web applications and more particularly to a method and system to provide an additional level of security mechanism for packaged web applications.
  • OAuth Open Authorization
  • client applications accesses users' (i.e. resource owner) protected resources (e.g., photos, videos, contact lists), which are owned by another application (i.e. resource server)
  • protected resources e.g., photos, videos, contact lists
  • resource server another application
  • the client application and the resource owner need to be authenticated by the resource server before allowing any access to the protected resources.
  • the OAuth enables resource owners to provide specific and time bound rights to access the protected resources to the client applications without having to hand out their credentials, typically username and password.
  • the OAuth is based on three-party trust federation: client application, resource server and resource owner.
  • the OAuth allows resource owners to grant rights to access their information to a third party client application, which the user cannot trust entirely.
  • the information being accessed is typically stored with another resource server.
  • This access grant is provided as a result of the client application initiating an authorization-flow.
  • the authorization flow is initiated to an authorization-endpoint (also known as authorization server, a component of resource server that handles the authorization flow).
  • authorization server Prior to the authorization-flow initiation the authorization server mandates the client application to register with itself.
  • a client identifier (ID) is assigned to the client application.
  • the client applications are issued a time-bound access-token instead of the protected data being exposed to the full extent.
  • Each access-token grants access to a specific site (e.g., a video editing site), to a specific resources (e.g., just videos from a specific album), and to specific time duration (e.g., the next 2 hours).
  • a specific site e.g., a video editing site
  • specific resources e.g., just videos from a specific album
  • specific time duration e.g., the next 2 hours.
  • the OAuth is defined only for Hyper Text Transfer Protocol (HTTP) Transport.
  • HTTP Hyper Text Transfer Protocol
  • the authorization-endpoint, redirect-endpoint should be valid HTTP URIs.
  • As the OAuth requires redirect endpoints to be the HTTP URIs packaged web applications cannot get the control back from authorization page, as they do not have HTTP end point. And therefore, as they cannot get the control back from the authorization page, the packaged web applications cannot use the OAuth mechanism in the usual way.
  • the packaged web applications to use the OAuth need support from a web runtime engine.
  • the web runtime engine can capture the redirect end point and instead of redirecting the web page associated with the URI it would notify the packaged web application with the captured redirect end point.
  • this mechanism opens up the possibility of session fixation type of attacks.
  • a malicious packaged web application can use the credentials and redirect end points of another genuine application and dupe the resource owner.
  • the client ID and the redirect URI can be seen from some other network sniffer tools and http referrer headers. Once the client ID and the redirect URI of another application is known, an attacker can package a new application using the credentials and misuse the access to the protected resource.
  • Another object of the embodiments herein is to provide a method and system to determine a match between an intercepted redirect identifier and a pre-assigned redirect identifier associated with a client application stored at a web run time engine, such as to ensure that the redirect endpoint is not that of another application.
  • Embodiments herein provide a method for authenticating a client application attempting to access a protected resource stored on a resource server.
  • the method includes receiving a request to access the protected resource at an authorization server; the request is received from the client application authorized by a resource owner of the protected resource.
  • the method further includes redirecting the request to the resource server using a redirect identifier corresponding to a redirect endpoint of the client application.
  • the redirect identifier is intercepted by a web runtime engine prior to the redirect.
  • the method includes determining a match between the intercepted redirect identifier and a pre-assigned redirect identifier associated with the client application stored at the web runtime engine to authenticate the client application prior to providing access to the protected resource.
  • Embodiments herein provide a system for authenticating a client application attempting to access a protected resource stored on a resource server.
  • the system comprising an authorization server configured to receive a request to access the protected resource. The request is received from the client application authorized by a resource owner of the protected resource. Further, the authentication server configured to redirect the request to the resource server using a redirect identifier corresponding to a redirect endpoint of the client application.
  • a web runtime engine configured to intercept the redirect identifier prior to the redirect. Further, the web runtime engine configured to determine a match between the intercepted redirect identifier and a pre-assigned redirect identifier associated with the client application stored at the web runtime engine to authenticate the client application prior to providing access to the protected resource.
  • Embodiments herein provide a computer program product comprising a computer executable program code recorded on a computer readable non-transitory storage medium, the computer executable program code when executed causing the operations including receiving a request to access a protected resource stored at a resource server. The request is received from a client application authorized by a resource owner of the protected resource. The computer executable program code when executed causing further operations including redirecting the request to the resource server using a redirect identifier corresponding to a redirect endpoint of the client application. The redirect identifier is intercepted by a web run time engine prior to the redirect.
  • the computer executable program code when executed causing further operations including determining a match between the intercepted redirect identifier and a pre-assigned redirect identifier associated with the client application stored at the web runtime engine to authenticate the client application prior to providing access to the protected resource.
  • FIG. 1 illustrates a high level overview of a system for authenticating a client application attempting to access a protected resource stored on a resource server, according to embodiments as disclosed herein;
  • FIG. 2 illustrates another high level overview of a system, where a web runtime engine is implemented separately to authenticate the client application attempting to access the protected resource stored on the resource server, according to embodiments as disclosed herein;
  • FIG. 3 is a sequence diagram illustrating various operations performed to authenticate the client application attempting to access the protected resource stored on the resource server, according to embodiments as disclosed herein;
  • FIGS. 4 a and 4 b illustrate operations of a runtime engine configured to apply an additional level of security mechanism to authenticate the client application attempting to access the protected resource, according to embodiments as disclosed herein;
  • FIG. 5 is a flow diagram illustrating a method for authenticating a client application attempting to access a protected resource, according to embodiments as disclosed herein;
  • FIG. 6 shows an example illustration for registering and authenticating a SNS application attempting to access a protected resource stored on a resource server, according to embodiments as disclosed herein;
  • FIG. 7 illustrates a computing environment implementing the method and system for authenticating a client application attempting to access the protected resource stored on the resource server, according to embodiments as disclosed herein.
  • FIGS. 1 through 7 discussed below, and the various embodiments used to describe the principles of the present disclosure in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the disclosure. Those skilled in the art will understand that the principles of the present disclosure may be implemented in any suitably arranged security technologies.
  • the embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein.
  • the various embodiments described herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments.
  • the embodiments herein disclose a method and system for authenticating a client application attempting to access a protected resource stored on a resource server.
  • the method includes receiving a request to access the protected resource at an authorization server.
  • the request is received from the client application authorized by a resource owner of the protected resource.
  • the method includes redirecting the request to the resource server using a redirect identifier corresponding to a redirect endpoint of the client application, wherein the redirect identifier can be intercepted by a web runtime engine prior to the redirection.
  • the redirect identifier is a configurable redirect identifier including a parameter allocated to the client application at the time of registration.
  • the parameter described herein can include for example, but not limited to, an authority, a path, a Uniform Resource Identifier (URI), a query portion of the URI, a unique value, and the like. Further, the method includes determining a match between the intercepted redirect identifier and a pre-assigned redirect identifier associated with the client application stored at the web runtime engine to authenticate the client application prior to providing access to the protected resource.
  • URI Uniform Resource Identifier
  • the method and system described herein is simple and robust for authenticating the client applications, more particularly packaged web client applications, attempting to access the protected resource.
  • An important aspect that differentiates the packaged web application from a normal web application is the scheme of the URIs of its resources.
  • the scheme part of the URI for a normal web page can either be Hyper Text Transfer Protocol (HTTP) or HTTTP Secure (HTTPS). Since the packaged web applications are installed on a device, and not fetched from any specific network location, the scheme part of the packaged web application is never http or https. Instead, the scheme part of the packaged web applications is set a proprietary value. Unlike conventional system, the web runtime engine can be used to add an additional level of security mechanism for the packaged web applications.
  • the web runtime engine itself intercepts the redirect end point (HTTP 302 responses) and then applies a level of authentication on the intercepted “redirection URL” establishing a correspondence between the packaged web application and the redirect end point (HTTP URL) and ensures that the redirect end point is not that of the another application (web application, packaged web application or an application realized by any other means) and then inform back the result of the authentication to the client application.
  • a travel application such as “trip” (www.trip.com) is attempting to access data from the Social Networking Service- 1 (SNS- 1 ) application on user account to post travel events on the wall of the SNS- 1 application.
  • the travel application “trip” can request to access data from the SNS- 1 application at the SNS- 1 authorization server.
  • the request of the travel application “trip” can be redirected to the SNS- 1 application server using a redirect identifier corresponding to a redirect endpoint of the SNS- 1 application.
  • the redirect identifier will be intercepted by the web runtime engine prior to the redirect.
  • the redirect identifier can be the URL allocated to the “trip” application at the time of registration or includes a parameter allocated to the “trip” application at the time of registration.
  • the web runtime engine determines a match between the intercepted redirect identifier and the pre-assigned redirect identifier associated with the travel application “trip” stored at the web runtime engine to authenticate the travel application “trip” prior to providing access to the data from the SNS- 1 application. If the match is determined, then the travel application “trip” is allowed to access the data from the SNS- 1 application to post travel events on the wall of the SNS- 1 application.
  • the possibility of session fixation type of attacks can be eliminated by providing an additional level of authentication mechanism for the client application attempting to access the protected resource stored in the resource server.
  • a token-less mechanism is proposed to eliminate the risk of other applications (i.e. other than the client application attempting to access the protected resource) using the credentials and redirect end points of the client application to access the protected resource.
  • the proposed method and system can be implemented using existing infrastructure and does not require extensive setup and instrumentation.
  • FIGS. 1 through 7 where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments.
  • FIG. 1 illustrates a high level overview of a system 100 for authenticating a client application attempting to access a protected resource stored on a resource server, according to embodiments as disclosed herein.
  • the system 100 can be configured to include a resource owner 102 , a client application 104 , a resource device 104 , and a resource ecosystem 112 .
  • the resource owner 102 described herein can be an owner of the resources stored in the resource ecosystem 112 .
  • the resource device 106 described herein can be for example and not limited to a laptop, a desktop computer, a mobile phone, a smart phone, a Personal Digital Assistants (PDAs), a tablet, a phablet, a server, or any other electronic device.
  • the resource owner 102 can use the resource device 106 to manage the content in the ecosystem 112 .
  • the resource device 106 includes an application agent 108 including a web runtime engine 110 .
  • the application agent 108 described herein can be for example and not limited to a browser application.
  • the client application described herein is a packaged web application typically hosted in the context of the resource ecosystem 112 .
  • the packaged web application is a web application but packaged in a specific format, and available to users for download.
  • the package contains Hyper Text Markup Language (HTML) markups and other assets required for the applications to run.
  • HTML Hyper Text Markup Language
  • the HTML pages used by the applications reside in the resource device 106 instead of in a server.
  • the packaged web applications run either over the application agent 108 (such as browser) or specialized run times provided by the web runtime engine 110 , which are also known as “Web Run Times”.
  • the web runtime is not included as a part of the resource ecosystem 112 , even though it is very closely associated with the resource ecosystem 112 and mostly designed specifically for the resource ecosystem 112 .
  • Examples of the client application 104 can include, but not limited to, an email application, a social networking site (SNS) application, an Instant Messaging (IM) application, a third party application, a trusted application, and the like.
  • the client application 104 can be configured to send an authorization request to the resource owner 102 to access or post content on behalf of the resource owner 102 in the resource ecosystem 112 .
  • the authorization server 114 includes a redirect identifier module 116 configured to register the client application 104 .
  • a redirect identifier is pre-assigned to the client application 104 .
  • the pre-assigned redirect identifier is allocated to each client application during the registration of the client application 104 with the ecosystem 112 , wherein each pre-assigned redirect identifier includes a parameter having for example but not limited to, an authority, a path, a Uniform Resource Identifier (URI), a query portion of the URI, a unique value, and the like.
  • URI Uniform Resource Identifier
  • the client application 104 uses these pre-assigned redirect identifier as its redirect endpoint(s) while registering with the authorization server 114 .
  • the web runtime engine 110 becomes aware of the pre-assigned redirect-endpoint(s) of the application and passes on redirect-endpoint(s) to the authenticator prior to redirect-endpoint interception moment.
  • the web runtime engine 110 can be configured to store the redirect identifier received from the authorization server 114 .
  • the authorization server 114 includes a redirect identifier module 116 configured to generate and assign a redirect identifier to the client application 104 .
  • the redirect identifier is a configurable redirect identifier including a parameter allocated to the client application 104 at the time of registration.
  • the parameter described herein can include for example, but not limited to, an authority, a path, the URI, a query portion of the URI, a unique value, and the like.
  • the redirect identifier module 116 can be configured to allocate either a redirect identifier in real-time.
  • the authorization server 114 can be configured to redirect the request to the resource server 120 using the redirect identifier corresponding to a redirect endpoint of the client application 104 .
  • the web runtime engine 110 can be configured to intercept the redirect identifier prior to redirecting the client application 104 to access the protected resource stored in the resource server 120 .
  • the web runtime engine 110 can be configured to determine a match between the intercepted redirect identifier and the pre-assigned redirect identifier associated with the client application 104 stored at the web runtime engine 110 to authenticate the client application 104 prior to providing access to the protected resource.
  • FIGS. 1 and 2 shows a limited overview of the system but, it is to be understood that another embodiment is not limited thereto.
  • the system can include different modules communicating among each other along with other hardware or software components.
  • the component can be, but not limited to, a process running in the electronic device, an executable process, a thread of execution, a program, or a computer.
  • an application running on an electronic device and the electronic device can be the component.
  • FIG. 3 is a sequence diagram illustrating various operations 300 performed to authenticate the client application 104 attempting to access a protected resource stored on the resource server 120 , according to embodiments as disclosed herein.
  • the client application 104 can send ( 302 ) the authorization request to the web runtime engine 110 to register with the authorization server 114 .
  • the web runtime engine 110 sends ( 304 ) the request to authorization server 114 for registering the client application 104 .
  • the authorization server 114 can be configured to pre-assign ( 306 ) a redirect identifier to the client application 104 .
  • the pre-assigned redirect identifier described herein can include a parameter having for example, but not limited to, an authority, a path, a Uniform Resource Identifier (URI), a query portion of the URI, a unique value, and the like.
  • the pre-assigned redirect identifier is allocated to each client application 104 during the registration of the client application 104 with the ecosystem 112 .
  • the client application 104 uses these pre-assigned redirect identifier as its redirect endpoint(s) while registering with the authorization server 114 .
  • the web runtime engine 110 becomes aware of the pre-assigned redirect-endpoint(s) of the client application 104 and passes on the redirect-endpoint(s) to the authenticator prior to the redirect-endpoint interception moment.
  • the authorization server 114 configured to assign ( 316 ) the redirect identifier to the client application 104 .
  • the parameter described herein can include for example, but not limited to, an authority, a path, the URI, a query portion of the URI, a unique value, and the like.
  • the redirect identifier module 116 can be configured to allocate either a redirect identifier in real-time.
  • the allocated redirect identifier can be the same as the pre-assigned redirect identifier allocated to the client application 104 at the time of registration or includes a pre-assigned parameter allocated to the client application 104 at the time of registration as a part of the redirect identifier.
  • the authorization server 114 can be configured to send the assigned redirect identifier to the web runtime engine 110 .
  • the web runtime engine 110 can be configured to intercept ( 318 ) the redirect identifier prior to redirecting the client application 104 to the resource server 120 .
  • the web runtime engine 110 can be configured to determine ( 318 ) a match between the intercepted redirect identifier and a pre-assigned redirect identifier associated with the client application 104 stored at the web runtime engine 110 to authenticate the client application 104 prior to providing access to the protected resource.
  • the web runtime engine 110 can itself intercept the redirect end point (HTTP 302 responses).
  • the web runtime engine 110 can be configured to pass the intercepted redirect identifier to another trusted application for the job of authentication.
  • a level of authentication is then applied on the intercepted “redirection URL” establishing a correspondence between the packaged web application and the redirect end point (HTTP URL) and ensure that the redirect end point is not that of the another application (web application, packaged web application or an application realized by any other means).
  • HTTP URL redirect end point
  • the web runtime engine 110 can be configured to grant ( 324 ) permission for the client application 104 to access the protected resource in response to determining the match between the redirect identifier and the pre-assigned redirect identifier.
  • the web runtime engine 110 can be configured to pass the intercepted redirect identifier to a trusted application 402 for performing the additional level of authentication as shown in the FIG. 4 b .
  • the trusted application handles the authentication activity delegated by web runtime engine 110 .
  • the trusted application 402 can be a third party application.
  • the trusted application 402 can establish a correspondence between the client application 104 and the redirect end point to ensure that the redirect endpoint is not that of another application and then inform back the result of the authentication to the web runtime engine 110 or the client application 104 or both.
  • the client application 104 can have one or more redirect-endpoints.
  • the web runtime engine 110 can be configured to establish the correspondence between the client application 104 and the redirect end point in multiple ways.
  • the web runtime engine 110 can establish the correspondence between the client application 104 and the redirect endpoint.
  • the resource ecosystem 112 can be configured to generate and assign one or more unique URIs (including an authority, a path and query parts of the URI) for the client application 104 during the time of initial registration of the client application 104 with the resource ecosystem 112 .
  • the client application 104 can use the assigned one or more URIs as redirect endpoints while registering with the authorization server 114 .
  • the web runtime engine 114 can receive the pre-assigned redirect endpoints of the client application 104 from the resource ecosystem 112 and sends the pre-assigned redirect endpoints to the web runtime engine 110 prior to redirect endpoint interception by the web runtime engine 110 .
  • the web runtime engine 110 can be configured to store the pre-assigned redirect identifier received from the authorization server 114 . During the time of redirect interception, the web runtime engine 110 can be configured to match the intercepted redirect identifier with the pre-assigned redirect endpoints. The web runtime engine 110 can be configured to declare the authentication as successful if the intercepted redirect identifier matches with the pre-assigned redirect endpoints of the client application 104 .
  • the web runtime engine 110 can be aware of the pre-assigned redirect endpoints of the client application 104 .
  • the set of pre-assigned redirect identifiers are coded into the configuration document of the client application 104 .
  • the configuration document can be transmitted to the resource device 120 during the time of application download.
  • the web runtime engine 110 can be configured to extract the pre-assigned redirect endpoints from the configuration document.
  • the set of pre-assigned redirect identifiers are coded into a separate file.
  • the file in which the pre-assigned redirect identifiers are coded can be made part of the client application 104 .
  • the web runtime engine 110 can extract the pre-assigned redirect endpoints from the file.
  • the web runtime engine 110 can establish the correspondence between the client application 104 and the redirect endpoint wherein the resource ecosystem 112 can be configured to assign the unique URIs (including an authority, a path and query parts of the URI) for the client application 104 .
  • the pre-assigned URI can be, for example, but not limited to, the identifier of an author of the application represented in the form of the URI, the identifier of the application represented in the form of the URI.
  • the client application 104 can use the pre-assigned URI as its redirect endpoint while registering with the authorization server 114 .
  • the web runtime engine 110 can be configured store the pre-assigned redirect endpoint of the client application 104 prior to redirect endpoint interception.
  • the web runtime engine 110 can be configured to match the intercepted redirect identifier with the assigned redirect-endpoint.
  • the web runtime engine 110 can be configured to declare the authentication to be successful if the intercepted redirect identifier matches with the pre-assigned redirect endpoint of the client application 104 .
  • the value of the parameter is auto-generated such that the parameter-value pair is unique across the applications in the resource ecosystem 112 but same across the resource device 106 for the client application 104 .
  • the parameter value pairs are coded into the packaging configuration document or the separate file that is part of the package.
  • the resource ecosystem 112 can assign the parameter-value pair where the parameter can be a fixed string.
  • the value of the parameter assigned shall be an identifier with which an application can be uniquely identified from within the web runtime engine 110 .
  • the unique redirect identifier should be extracted during application runtime by the web runtime engine 110 .
  • the unique identifier can be of any value.
  • the unique identifier can be the application identifier represented in the form of the numeric value or a non-URI string.
  • the web runtime engine 110 can be configured to declare the authentication to be successful if the match between the intercepted URI and the assigned parameter-value pair is determined.
  • the web runtime engine 110 can be aware of the assigned parameter-value pair for the client application 104 where the parameter can be a fixed string or an auto-generated string and the value of the parameter is either numeric value or a string auto-generated by the resource ecosystem 112 .
  • the parameter value pair can be coded into the configuration document of the packaged web application.
  • the configuration document can be transmitted to the resource device 106 during the time of application download.
  • the web runtime engine 110 can extract the assigned parameter-value pair from the configuration document.
  • the web runtime engine 110 can be aware of the assigned parameter-value pair for the client application 110 where the parameter can be a fixed string or an auto-generated string and the value of the parameter is either numeric value or a string generated by the resource ecosystem 112 , the parameter-value pair is coded into a separate file.
  • the file in which the assigned parameter value is coded can be made part of the package.
  • the web runtime engine 110 can extract the assigned redirect endpoints from the file.
  • the parameter can be a fixed string and the value of the parameter is assigned a unique identifier that can be extracted during the application runtime, the parameter-value pair for the client application 104 is synthetically created locally using the secure APIs provided by the web runtime engine 110 . In this case, parameter-value pair is never transmitted explicitly to the device where application is installed.
  • one application can have multiple redirect end points (HTTP URIs).
  • FIG. 5 is a flow diagram illustrating a method 500 for authenticating a client application attempting to access a protected resource stored on a resource server 120 , according to embodiments as disclosed herein.
  • the method 500 includes receiving a request from a client application 104 to register initially with authorization server 114 for accessing a protected resource on the resource server 120 .
  • the method 500 allows authorization server 114 to receive the request from the client application 104 to register initially with the authorization server 114 for accessing the protected resource.
  • the photo editing application can initiate an authorization flow by sending a request to the web runtime engine 110 .
  • the web runtime engine 110 can invoke user consent orchestration in order to ask user of the SNS-2 application to verify that the photo editing application should be granted access to the data from the SNS-2 application.
  • the user consent orchestration indicates the user of the SNS-2 application, the scope to which the photo editing application attempting to access the data and provide the user with the opportunity to consent or decline the access of the photo editing application to the data stored in the SNS-2 application server.
  • the method 500 includes assigning a redirect identifier to the client application 104 .
  • the method 500 allows the redirect identifier module 116 to assign the redirect identifier to the client application 104 .
  • the method 500 includes storing the assigned redirect identifier associated with the client application 104 in a web runtime engine 110 .
  • the method 500 allows the web runtime engine 110 to store the assigned redirect identifier associated with the client application 104 .
  • the assigned redirect identifier of the photo editing application will be stored in the web runtime engine 110 .
  • the method 500 includes receiving another request to access a protected resource at the authorization server 114 .
  • the method 500 allows the authorization server 114 to receive the request to access the protected resource on the resource server 120 .
  • the method 500 includes redirecting the request to the resource server 120 using the redirect identifier corresponding to a redirect endpoint of the client application 104 .
  • the method 500 allows the authorization server 114 to redirect the request to the resource server 120 using the redirect identifier corresponding to the redirect endpoint of the client application 104 .
  • the method 500 includes intercepting the redirect identifier prior to redirecting the client application 104 to the resource server 120 by the web runtime engine 110 .
  • the method 500 allows the web runtime engine 110 to intercept the redirect identifier prior to redirecting the client application 104 to the resource server 120 .
  • the web runtime engine 110 can intercept the redirect identifier prior to redirecting the photo editing application to access the data stored in the SNS-2 application server.
  • the method 500 includes determining a match between the intercepted redirect identifier and a pre-assigned redirect identifier associated with the client application 104 stored at the web runtime engine 110 to authenticate the client application 104 prior to providing access to the protected resource.
  • the method 500 allows the web runtime engine 110 to determine the match between the intercepted redirect identifier and the pre-assigned redirect identifier associated with the client application 104 to authenticate the client application 104 prior to providing access to the protected resource.
  • the pre-assigned redirect identifier can be allocated to the client application 104 during initial registration of the client application 104 with the authorization server 114 .
  • the pre-assigned redirect identifier described herein can include for example, but not limited to, an authority, a path, a Uniform Resource Identifier (URI), a query portion of the URI, a unique value, and the like.
  • the web runtime engine 110 can determine whether the intercepted redirect identifier of the photo editing application matches with the pre-assigned redirect identifier which is already stored in the web runtime engine 110 . If it is determined that at the step 514 , that the intercepted redirected identifier and the pre-assigned redirect identifier is detected to be same then, at step 518 , the method 500 includes allowing the client application 104 to access the protected resource stored on the resource server 120 .
  • URI Uniform Resource Identifier
  • the method allows the web runtime engine 110 to allow the client application 104 to access the protected resource on the resource server 120 . If it is determined that at the step 514 , that the intercepted redirected identifier and the pre-assigned redirected identifier is detected to be not same then at step 520 , the method 500 includes disallowing the client application 104 to access the protected resource stored on the resource server 120 . For example, if the redirect identifier of the photo editing application matches with the pre-assigned redirect identifier then the photo editing application will be allowed to access the data stored on the SNS-2 application server. Unlike conventional systems, the possibility of session fixation type of attacks can be eliminated by providing an additional level of authentication mechanism for the client application attempting to access the protected resource stored on the resource server. Unlike conventional systems, token less mechanism can be provided; thereby, eliminating the risk of other applications (i.e. other than the client application attempting to access the protected resource) using the credentials and redirect end points of the client application to access the protected resource.
  • FIG. 6 shows an example illustration for registering and authenticating a SNS-A application attempting to access a protected resource stored on a SNS-B application server, according to embodiments as disclosed herein.
  • the sequence of steps followed by the SNS-A application to access the data stored on the SNS-B application server are explained below:
  • Step- 1 Initially, the SNS-A application registers with the authorization server of the SNS-B application.
  • a request is sent by the SNS-A application for registering with the authorization server.
  • the authorization server can assign a redirect identifier to the SNS-A application.
  • Step- 2 Authorization server can send the pre-assigned redirect identifier to the web runtime engine.
  • the authorization server can send the pre-assigned redirect identifier to store in the web runtime engine.
  • Step- 3 Initiating an authorization flow by the SNS-A application on sending the request to the web runtime engine for accessing the data stored on the SNS-B application server.
  • Step- 4 Web runtime engine sends the authorization request to the user of the SNS-B application.
  • the web runtime engine can send the authorization request to the user of the SNS-B application.
  • Step- 5 Send the authorization grant response to the web runtime engine.
  • the web runtime engine can invoke the user consent orchestration in order to ask the user of the SNS-B application to verify that the SNS-A application should be granted access to the data stored on the SNS-B application server.
  • the user consent orchestration indicates the user, the data to which the SNS-A application is seeking access, and provides the user with the opportunity to consent or decline access of the SNS-Application to the data.
  • Step- 6 Send the authorization request to assign the redirect identifier.
  • the web runtime engine can send the authorization request to the authorization server of the SNS-B application for assigning the redirect identifier to the SNS-A application attempting to access the data stored on the SNS-B application server. Further, the authorization server can assign the redirect identifier to the SNS-A application.
  • Step- 7 The authorization server sends the assigned redirect identifier to the web runtime engine.
  • Step- 8 The Web runtime engine intercepts the redirect identifier to perform additional level of authentication.
  • the web runtime engine can intercept the redirect identifier prior to redirecting the SNS-A application to the SNS-B application server. Further, the web runtime engine can determine the match between the intercepted redirect identifier and the pre-assigned redirect identifier associated with the SNS-A application stored at the web runtime engine to authenticate the SNS-A application prior to providing access to the data.
  • Step- 9 Web runtime engine sends authorization grant to the SNS-A application to access the data stored on the SNS-B application server. If the web runtime engine determines that the intercepted identifier and the pre-assigned redirect identifier is detected to be same then the authorization grant is sent to the SNS-A application to access the data.
  • Step- 10 Access the data stored on the SNS-A application server. Upon receiving the authorization grant, the SNS-A application will access the data stored on the SNS-B application server.
  • FIG. 7 illustrates a computing environment implementing the method and system for authenticating a client application attempting to access a protected resource stored on a resource server, according to embodiments as disclosed herein.
  • the computing environment 702 comprises at least one processing unit 708 that is equipped with a control unit 704 and an Arithmetic Logic Unit (ALU) 706 , a memory 710 , a storage unit 712 , plurality of networking devices 716 and a plurality Input output (I/O) devices 714 .
  • the processing unit 708 is responsible for processing the instructions of the algorithm.
  • the processing unit 708 receives commands from the control unit in order to perform its processing. Further, any logical and arithmetic operations involved in the execution of the instructions are computed with the help of the ALU 706 .
  • the overall computing environment 702 can be composed of multiple homogeneous and/or heterogeneous cores, multiple CPUs of different kinds, special media and other accelerators.
  • the processing unit 708 is responsible for processing the instructions of the algorithm. Further, the plurality of processing units 708 can be located on a single chip or over multiple chips.
  • the algorithm comprising of instructions and codes required for the implementation are stored in either the memory unit 710 or the storage 712 or both. At the time of execution, the instructions can be fetched from the corresponding memory 710 and/or storage 712 , and executed by the processing unit 708 .
  • networking devices 716 or external I/O devices 714 can be connected to the computing environment to support the implementation through the networking unit and the I/O device unit.
  • the embodiments disclosed herein can be implemented through at least one software program running on at least one hardware device and performing network management functions to control the elements.
  • the elements shown in FIGS. 1, 2, 3 a - 3 b , 4 a - 4 b , 6 and 7 include blocks which can be at least one of a hardware device, or a combination of hardware device and software module.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)
US14/578,090 2013-12-20 2014-12-19 Method and system to provide additional security mechanism for packaged web applications Active US10554643B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IN5960CH2013 IN2013CH05960A (enrdf_load_stackoverflow) 2013-12-20 2013-12-20
IN5960CHE/2013 2013-12-20
IN5960/CHE/2013 2014-08-04

Publications (2)

Publication Number Publication Date
US20150180850A1 US20150180850A1 (en) 2015-06-25
US10554643B2 true US10554643B2 (en) 2020-02-04

Family

ID=53401391

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/578,090 Active US10554643B2 (en) 2013-12-20 2014-12-19 Method and system to provide additional security mechanism for packaged web applications

Country Status (2)

Country Link
US (1) US10554643B2 (enrdf_load_stackoverflow)
IN (1) IN2013CH05960A (enrdf_load_stackoverflow)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102020116791A1 (de) 2020-06-25 2021-12-30 Technische Universität Dresden Vorrichtung und Verfahren zum computergestützten Verarbeiten von Daten

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IN2013CH05960A (enrdf_load_stackoverflow) * 2013-12-20 2015-06-26 Samsung R & D Inst India Bangalore Private Ltd
EP3138011A4 (en) 2014-04-29 2017-10-18 Twitter, Inc. Inter-application delegated authentication
US20180091490A1 (en) * 2016-09-23 2018-03-29 Apple Inc. Authentication framework for a client of a remote database
CN108234400B (zh) * 2016-12-15 2021-01-22 北京金山云网络技术有限公司 一种攻击行为确定方法、装置及态势感知系统
US10454672B2 (en) * 2017-05-25 2019-10-22 Facebook, Inc. Systems and methods for preventing session fixation over a domain portal
US10838739B2 (en) 2018-04-19 2020-11-17 Circle Media Labs Inc. Network-connected computing devices and methods for executing operating programs in RAM memory
US11190514B2 (en) * 2019-06-17 2021-11-30 Microsoft Technology Licensing, Llc Client-server security enhancement using information accessed from access tokens

Citations (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020138660A1 (en) * 2001-03-23 2002-09-26 Bernd Eilers Method and system for the redirection of client requests
US6604143B1 (en) * 1998-06-19 2003-08-05 Sun Microsystems, Inc. Scalable proxy servers with plug-in filters
US20040172627A1 (en) * 2003-02-28 2004-09-02 Microsoft Corporation System and method for creating a runtime connection interface for attributes and element tags defined within a subclass in a markup document
US20070088611A1 (en) * 2005-05-11 2007-04-19 Christiansen Brian D Effecting ancillary actions on a transaction network
US20070180225A1 (en) * 2005-02-24 2007-08-02 Schmidt Jeffrey A Method and system for performing authentication and traffic control in a certificate-capable session
US20080114678A1 (en) * 2006-11-15 2008-05-15 David Lawrence Bennett Method and apparatus for remote authorization
US20080275888A1 (en) * 2007-05-03 2008-11-06 Gary Stephen Shuster Redirection method for electronic content
US20090328208A1 (en) * 2008-06-30 2009-12-31 International Business Machines Method and apparatus for preventing phishing attacks
US20090328142A1 (en) * 2008-06-30 2009-12-31 Industrial Technology Research Institute Systems and Methods for Webpage Verification Using Data-Hiding Technology
US20100050243A1 (en) * 2006-12-04 2010-02-25 Sxip Identify Corp. Method and system for trusted client bootstrapping
US20100083347A1 (en) * 2008-10-01 2010-04-01 International Business Machines Corporation Verifying and enforcing certificate use
US8005983B2 (en) * 2003-12-10 2011-08-23 Aventail Llc Rule-based routing to resources through a network
US20110277026A1 (en) * 2010-05-07 2011-11-10 Mugdha Agarwal Systems and Methods for Providing Single Sign On Access to Enterprise SAAS and Cloud Hosted Applications
US20120260321A1 (en) * 2011-04-07 2012-10-11 International Business Machines Corporation Method and apparatus to auto-login to a browser application launched from an authenticated client application
US20120304160A1 (en) * 2011-05-27 2012-11-29 Ridgeway Internet Security, Llc Systems and Methods for Run-Time Interception of Software Methods
US20130167196A1 (en) * 2007-06-06 2013-06-27 Boldstreet Inc. System and method for remote device recognition at public hotspots
US20140033280A1 (en) * 2012-07-25 2014-01-30 Oracle International Corporation System and method of mapping and protecting communication services with oauth
US20140033279A1 (en) * 2012-07-25 2014-01-30 Oracle International Corporation System and method of extending oauth server(s) with third party authentication/authorization
US20140033278A1 (en) * 2012-07-25 2014-01-30 Oracle International Corporation System and method of securing sharing of resources which require consent of multiple resource owners using group uri's
US8700729B2 (en) * 2005-01-21 2014-04-15 Robin Dua Method and apparatus for managing credentials through a wireless network
US20140230020A1 (en) * 2012-05-25 2014-08-14 Canon Kabushiki Kaisha Authorization server and client apparatus, server cooperative system, and token management method
US20140245417A1 (en) * 2011-10-20 2014-08-28 Alcatel Lucent Centralized secure management method of third-party application, system and corresponding communication system
US8832814B2 (en) * 2012-10-31 2014-09-09 Fmr Llc System and method for providing access to a software application
US20140282919A1 (en) * 2011-09-30 2014-09-18 British Telecommunications Public Limited Company Controlled access
US8868915B2 (en) * 2010-12-06 2014-10-21 Verizon Patent And Licensing Inc. Secure authentication for client application access to protected resources
US20140331287A1 (en) * 2011-08-04 2014-11-06 International Business Machines Corporation Authentication policy enforcement
US20140359098A1 (en) * 2013-05-28 2014-12-04 Vmware, Inc. Dynamic registration of an application with an enterprise system
US20140380428A1 (en) * 2013-06-21 2014-12-25 Canon Kabushiki Kaisha Authorization server system, control method thereof, and non-transitory computer-readable medium
US20140380429A1 (en) * 2013-06-21 2014-12-25 Canon Kabushiki Kaisha Authority delegate system, authorization server system, control method, and program
US8925050B2 (en) * 2012-10-29 2014-12-30 Oracle International Corporation Communication between authentication plug-ins of a single-point authentication manager and client systems
US8935757B2 (en) * 2011-09-29 2015-01-13 Oracle International Corporation OAuth framework
US20150089623A1 (en) * 2011-09-29 2015-03-26 Oracle International Corporation Service profile-specific token attributes and resource server token attribute overriding
US9038142B2 (en) * 2013-02-05 2015-05-19 Google Inc. Authorization flow initiation using short-term wireless communication
US20150145647A1 (en) * 2012-04-27 2015-05-28 Lock Your World Gmbh & Co. Kg Electronic Key, Electronic Closure System and a Method for Allowing an Access Authorization
US20150180850A1 (en) * 2013-12-20 2015-06-25 Samsung Electronics Co., Ltd. Method and system to provide additional security mechanism for packaged web applications
US9104848B2 (en) * 2013-05-08 2015-08-11 International Business Machines Corporation Cross-platform authentication from within a rich client
US9148548B2 (en) * 2013-11-15 2015-09-29 Ricoh Company, Ltd. Card authentication for OAuth supported cloud services on a multi-function device
US9160731B2 (en) * 2013-09-06 2015-10-13 International Business Machines Corporation Establishing a trust relationship between two product systems
US9165134B2 (en) * 2011-03-08 2015-10-20 Telefonica, S.A. Method for providing authorized access to a service application in order to use a protected resource of an end user
US9201634B2 (en) * 2011-06-09 2015-12-01 Samsung Electronics Co., Ltd Method and system for controlling user experience with an application on a client device
US9225532B2 (en) * 2010-12-06 2015-12-29 Verizon Patent And Licensing Inc. Method and system for providing registration of an application instance
US20160044023A1 (en) * 2014-01-30 2016-02-11 Globalfoundries Inc. Authentication policy enforcement
US9300746B2 (en) * 2010-09-22 2016-03-29 Canon Kabushiki Kaisha Information processing apparatus and control method therefor
US20160164685A1 (en) * 2014-08-21 2016-06-09 International Business Machines Corporation Secure connection certificate verification
US9497180B2 (en) * 2013-10-21 2016-11-15 Intel IP Corporation Content access authentication for dynamic adaptive streaming over hypertext transfer protocol
US20170026186A1 (en) * 2015-07-26 2017-01-26 Fortinet, Inc. Detection of fraudulent digital certificates

Patent Citations (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6604143B1 (en) * 1998-06-19 2003-08-05 Sun Microsystems, Inc. Scalable proxy servers with plug-in filters
US20020138660A1 (en) * 2001-03-23 2002-09-26 Bernd Eilers Method and system for the redirection of client requests
US20040172627A1 (en) * 2003-02-28 2004-09-02 Microsoft Corporation System and method for creating a runtime connection interface for attributes and element tags defined within a subclass in a markup document
US8005983B2 (en) * 2003-12-10 2011-08-23 Aventail Llc Rule-based routing to resources through a network
US8700729B2 (en) * 2005-01-21 2014-04-15 Robin Dua Method and apparatus for managing credentials through a wireless network
US20070180225A1 (en) * 2005-02-24 2007-08-02 Schmidt Jeffrey A Method and system for performing authentication and traffic control in a certificate-capable session
US20070088611A1 (en) * 2005-05-11 2007-04-19 Christiansen Brian D Effecting ancillary actions on a transaction network
US20080114678A1 (en) * 2006-11-15 2008-05-15 David Lawrence Bennett Method and apparatus for remote authorization
US20100050243A1 (en) * 2006-12-04 2010-02-25 Sxip Identify Corp. Method and system for trusted client bootstrapping
US20080275888A1 (en) * 2007-05-03 2008-11-06 Gary Stephen Shuster Redirection method for electronic content
US20130167196A1 (en) * 2007-06-06 2013-06-27 Boldstreet Inc. System and method for remote device recognition at public hotspots
US20090328142A1 (en) * 2008-06-30 2009-12-31 Industrial Technology Research Institute Systems and Methods for Webpage Verification Using Data-Hiding Technology
US20090328208A1 (en) * 2008-06-30 2009-12-31 International Business Machines Method and apparatus for preventing phishing attacks
US20100083347A1 (en) * 2008-10-01 2010-04-01 International Business Machines Corporation Verifying and enforcing certificate use
US20110277026A1 (en) * 2010-05-07 2011-11-10 Mugdha Agarwal Systems and Methods for Providing Single Sign On Access to Enterprise SAAS and Cloud Hosted Applications
US9300746B2 (en) * 2010-09-22 2016-03-29 Canon Kabushiki Kaisha Information processing apparatus and control method therefor
US8868915B2 (en) * 2010-12-06 2014-10-21 Verizon Patent And Licensing Inc. Secure authentication for client application access to protected resources
US9225532B2 (en) * 2010-12-06 2015-12-29 Verizon Patent And Licensing Inc. Method and system for providing registration of an application instance
US9165134B2 (en) * 2011-03-08 2015-10-20 Telefonica, S.A. Method for providing authorized access to a service application in order to use a protected resource of an end user
US20120260321A1 (en) * 2011-04-07 2012-10-11 International Business Machines Corporation Method and apparatus to auto-login to a browser application launched from an authenticated client application
US20120304160A1 (en) * 2011-05-27 2012-11-29 Ridgeway Internet Security, Llc Systems and Methods for Run-Time Interception of Software Methods
US9201634B2 (en) * 2011-06-09 2015-12-01 Samsung Electronics Co., Ltd Method and system for controlling user experience with an application on a client device
US20140331287A1 (en) * 2011-08-04 2014-11-06 International Business Machines Corporation Authentication policy enforcement
US8935757B2 (en) * 2011-09-29 2015-01-13 Oracle International Corporation OAuth framework
US9197623B2 (en) * 2011-09-29 2015-11-24 Oracle International Corporation Multiple resource servers interacting with single OAuth server
US20150089623A1 (en) * 2011-09-29 2015-03-26 Oracle International Corporation Service profile-specific token attributes and resource server token attribute overriding
US20140282919A1 (en) * 2011-09-30 2014-09-18 British Telecommunications Public Limited Company Controlled access
US20140245417A1 (en) * 2011-10-20 2014-08-28 Alcatel Lucent Centralized secure management method of third-party application, system and corresponding communication system
US20150145647A1 (en) * 2012-04-27 2015-05-28 Lock Your World Gmbh & Co. Kg Electronic Key, Electronic Closure System and a Method for Allowing an Access Authorization
US20140230020A1 (en) * 2012-05-25 2014-08-14 Canon Kabushiki Kaisha Authorization server and client apparatus, server cooperative system, and token management method
US9118653B2 (en) * 2012-07-25 2015-08-25 Oracle International Corporation System and method of secure sharing of resources which require consent of multiple resource owners using group URI's
US20140033280A1 (en) * 2012-07-25 2014-01-30 Oracle International Corporation System and method of mapping and protecting communication services with oauth
US20140033279A1 (en) * 2012-07-25 2014-01-30 Oracle International Corporation System and method of extending oauth server(s) with third party authentication/authorization
US8806595B2 (en) * 2012-07-25 2014-08-12 Oracle International Corporation System and method of securing sharing of resources which require consent of multiple resource owners using group URI's
US9009787B2 (en) * 2012-07-25 2015-04-14 Oracle International Corporation System and method of mapping and protecting communication services with OAuth
US20140033278A1 (en) * 2012-07-25 2014-01-30 Oracle International Corporation System and method of securing sharing of resources which require consent of multiple resource owners using group uri's
US8782411B2 (en) * 2012-07-25 2014-07-15 Oracle International Corporation System and method of extending oauth server(s) with third party authentication/authorization
US8925050B2 (en) * 2012-10-29 2014-12-30 Oracle International Corporation Communication between authentication plug-ins of a single-point authentication manager and client systems
US20150082398A1 (en) * 2012-10-29 2015-03-19 Oracle International Corporation Communication between authentication plug-ins of a single-point authentication manager and client systems
US8832814B2 (en) * 2012-10-31 2014-09-09 Fmr Llc System and method for providing access to a software application
US9038142B2 (en) * 2013-02-05 2015-05-19 Google Inc. Authorization flow initiation using short-term wireless communication
US9104848B2 (en) * 2013-05-08 2015-08-11 International Business Machines Corporation Cross-platform authentication from within a rich client
US20140359098A1 (en) * 2013-05-28 2014-12-04 Vmware, Inc. Dynamic registration of an application with an enterprise system
US20140380428A1 (en) * 2013-06-21 2014-12-25 Canon Kabushiki Kaisha Authorization server system, control method thereof, and non-transitory computer-readable medium
US20140380429A1 (en) * 2013-06-21 2014-12-25 Canon Kabushiki Kaisha Authority delegate system, authorization server system, control method, and program
US9160731B2 (en) * 2013-09-06 2015-10-13 International Business Machines Corporation Establishing a trust relationship between two product systems
US9497180B2 (en) * 2013-10-21 2016-11-15 Intel IP Corporation Content access authentication for dynamic adaptive streaming over hypertext transfer protocol
US9148548B2 (en) * 2013-11-15 2015-09-29 Ricoh Company, Ltd. Card authentication for OAuth supported cloud services on a multi-function device
US20150180850A1 (en) * 2013-12-20 2015-06-25 Samsung Electronics Co., Ltd. Method and system to provide additional security mechanism for packaged web applications
US20160044023A1 (en) * 2014-01-30 2016-02-11 Globalfoundries Inc. Authentication policy enforcement
US20160164685A1 (en) * 2014-08-21 2016-06-09 International Business Machines Corporation Secure connection certificate verification
US20170026186A1 (en) * 2015-07-26 2017-01-26 Fortinet, Inc. Detection of fraudulent digital certificates

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NPL Search (Google Scholar) (Year: 2019). *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102020116791A1 (de) 2020-06-25 2021-12-30 Technische Universität Dresden Vorrichtung und Verfahren zum computergestützten Verarbeiten von Daten
US11783038B2 (en) 2020-06-25 2023-10-10 Technische Universitat Dresden Device and method for computer-aided processing of data
DE102020116791B4 (de) 2020-06-25 2025-09-11 Technische Universität Dresden Vorrichtung und Verfahren zum computergestützten Verarbeiten von Daten

Also Published As

Publication number Publication date
US20150180850A1 (en) 2015-06-25
IN2013CH05960A (enrdf_load_stackoverflow) 2015-06-26

Similar Documents

Publication Publication Date Title
US10554643B2 (en) Method and system to provide additional security mechanism for packaged web applications
US10445487B2 (en) Methods and apparatus for authentication of joint account login
US10225260B2 (en) Enhanced authentication security
CN111783067B (zh) 多网站间的自动登录方法及装置
US9338007B1 (en) Secure delegated authentication for applications
JP5704518B2 (ja) 機密情報漏洩防止システム、機密情報漏洩防止方法及び機密情報漏洩防止プログラム
US9369286B2 (en) System and methods for facilitating authentication of an electronic device accessing plurality of mobile applications
CN105991614B (zh) 一种开放授权、资源访问的方法及装置、服务器
US20210168611A1 (en) Method for securely sharing a url
US20170187705A1 (en) Method of controlling access to business cloud service
US11930038B2 (en) Processing refresh token request at application programming interface (API) gateway
US9954847B2 (en) Computer readable storage media for legacy integration and methods and systems for utilizing same
US8661519B2 (en) Redirection using token and value
US9154497B1 (en) Maintaining accountability of a shared password among multiple users
US11882120B2 (en) Identity intermediary service authorization
EP3036674B1 (en) Proof of possession for web browser cookie based security tokens
US20160269420A1 (en) Apparatus for verifying safety of resource, server thereof, and method thereof
CN105119916A (zh) 一种基于http的认证方法及系统
US20160366172A1 (en) Prevention of cross site request forgery attacks
Popov et al. Token Binding over HTTP
US10313349B2 (en) Service request modification
CN106330818B (zh) 客户端内嵌页面的保护方法和系统
KR102035396B1 (ko) SDN의 보안 인증을 강화하기 위하여 FIDO UAF에 사용자를 식별하기 위한 Open ID IDP를 적용하는 인증 방법 및 인증 장치
Popov et al. RFC 8473: Token Binding over HTTP
Reynders Securing APIs

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG ELECTRONICS CO., LTD, KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VENKATARAMANA, BALAJ I NEREILA;DAS, KAUSHIK;JAMADAGNI, SATISH NANJUNDA SWAMY;AND OTHERS;REEL/FRAME:034561/0654

Effective date: 20141216

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4